We are in a virtual environment but we set a physical port up dedicated for direct access. We then shoved the thing out in front of the PIX with Panda EPP on it and kept it off the network. We know you are supposed to have a Forefront server or something in front of it. We did it because it was virtual and we could reclone it in 5 minutes - and well, we were curious as to how long it would be out there before it was scanned.

10 seconds. Scanned and attacked. 10 seconds....

So we are still planning on getting it set up for SharePoint etc., but we are going to shove a hardened solution in front of it.

Any firewall should work, though Forefront will give you some extra capabilities (such as the ability for the clients to use devices behind the firewall that only support IPv4). I certainly wouldn't run it directly on the wire without a firewall, though.